CVE-2025-43929

Publication date 20 April 2025

Last updated 11 July 2025


Ubuntu priority

CVSS 3 Severity Score

4.1 · Medium


open_actions.py in kitty before 0.41.0 does not ask for user confirmation before running a local executable file that may have been linked from an untrusted document (e.g., a document opened in KDE ghostwriter).

Status

Package Ubuntu Release Status
kitty 25.04 plucky Ignored (changes too intrusive)
kitty 24.10 oracular Ignored (end of life, was ignored [changes too intrusive])
kitty 24.04 LTS noble Ignored (changes too intrusive)
kitty 22.04 LTS jammy Not affected
kitty 20.04 LTS focal Not affected

Patch details

For informational purposes only. We recommend against cherry-picking updates.

Package Patch details
kitty

Severity score breakdown

Parameter Value
Base score 4.1 · Medium
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N